Securing The Reputation Management in WINNOWING P2P Scheme

Nawaf Almudhahka
Matthew Locklear
Agenda
• Overview
• Motivation
• Assumptions & Threat Model
• Approach
• Security Analysis of TVC
• Model Description
• Results
• Conclusion
• Future Work
• Questions
Overview
• WINNOWING is a DHT-based P2P file sharing system in which
the peers maintain index records (file-related info).
• The index records are maintained by Index Nodes (IN hereafter)
and have two types:
1. Content record:
<H(file), publisher info(IP, clientID, TCP_port)>
2. Keyword record:
<H(keyword), H(file), metadata>
• The value H(file) is the content key, while the value
H(keyword) is the keyword key.
Overview
• An owner of a file should place a request to the content
IN and the keyword IN before publishing a file.
• The INs verify that the publisher is from a live (non-spoofed) IP.
• Also, the keyword-owning IN verifies the contents of the
content key H(file) with the content-key-owning IN to
ensure that the publisher is not sending bogus content.
This verification is done by searching for the content
key and waiting for a valid reply.
Overview
[Figure: message sequence diagram. Participants: Downloader, Keyword Key IN, Publisher, Content Key IN. Messages: KW PUB RQ, CONT PUB RQ, PUB VER RQ, PUB VER RES, PUB VER RQ, PUB VER RES, LOC VER RQ, LOC VER RES, CON PUB RES]
Overview
[Figure: message sequence diagram. Participants: Downloader, Keyword Key IN, Publisher, Content Key IN. Messages: KW SEARCH, KW RES, CONT SEARCH, CONT RES, CONT DOWNLOAD, FB REQ, FB RES, FB REQ, FB RES]
Issues in WINNOWING
• The user feedback records are maintained and distributed to
potential downloaders by the IN itself.
– Therefore, there are no guarantees on the integrity and
the trustworthiness of the score published by the IN.
– User feedback records might be forged by the adverse IN
to reflect positive feedback.
– An adverse IN might advertise a positive reputation (i.e. high
scores) about itself.
Issues in WINNOWING
• The scheme uses an Imbalanced User Feedback (IUF) mechanism
in which the downloader votes negatively by sending a
big file (a few megabytes). This mechanism aims to:
– Penalize the adverse IN which publishes bogus index
records by exhausting its bandwidth when receiving the
negative votes from the downloaders.
– Discourage the downloaders from voting negatively to
reduce the impact of Reverse Voting attacks in
damaging the reputation of a benign IN.
– What if an adversary with super bandwidth resources
used that mechanism to exhaust an IN bandwidth and
buffer resources?
Motivation
1. Reputation counts a lot in P2P systems!
– It is the critical success factor to secure the P2P network
against the polluters.
– Assign the responsibility of maintaining the user
feedback records (votes) to a trusted entity.
• Secure storage for the downloaders’ votes.
• Trusted issuance of reputation reports (score
certificates).
Motivation
2. Bandwidth penalty is costly.
– It affects all hosts in the domain (not only the
bad guy) and it hurts a lot if employed in
performing DoS attacks.
• Reduce the threat of employing the IUF
mechanism in launching DoS attacks while
preserving the same penalizing impact.
• Let the downloader pay a cost of a resource that
does not directly affect the IN (i.e. other than
bandwidth).
• Penalize the IN that receives a negative vote
without affecting its bandwidth.
Assumptions & Threat Model
Active Members: Downloader/Benign Voter, Benign IN, Adverse Voter, Adverse IN
Attacks: IN Insertion, Reverse Voting, DoS, Score Forgery
Assumptions & Threat Model
Attack            Committer           Victim
IN Insertion      Adverse IN          Downloader
Reverse Voting    Adverse Voter(s)    Benign IN
Score Forgery     Adverse IN          Downloader
DoS               Adverse Voter(s)    Benign IN
Index Node Insertion
[Figure: Adverse IN and Potential Downloaders]
An adverse IN distributes bogus index records in the P2P system.
Reverse Voting
[Figure, two frames: Colluding Voters with Adverse IN; Colluding Voters with Benign IN]
A single voter or multiple colluding voters target a benign index node by
voting negatively against it, aiming to decrease its score and hurt its
reputation in the system.
Score Forgery
[Figure: Victim Downloader, Adverse IN and Potential Downloaders]
An adverse index node forges the negative vote records it has
received so it reflects a good score (and hence, reputation) to the
potential downloaders and attracts them to its bogus index records.
Approach
• Introduce a Trusted Voting Center (TVC) that is responsible for
the following:
– Receiving, storing, and maintaining the downloader votes
for a group of INs.
– Producing score certificates periodically and distributing
them to the relevant INs.
– Preserving the penalty concept introduced by WINNOWING
on both: negative voters and INs.
Approach
• TVC addresses the three main issues in WINNOWING’s
reputation management:
– Minimizes the potential of DoS and Reverse Voting
attacks.
– Guarantees the integrity of votes and scores.
– Reduces the impact of IN Insertion.
Assumptions (TVC)
• It is a sufficiently secure server that cannot be compromised
by the adversaries in the system.
• It has sufficient bandwidth, memory, and computational
resources.
• The TVC uses PKC to sign the score reports that it generates,
which protects these score reports against .
• The overall system is assumed to be sufficiently synchronized
with an authentic global time service.
TVC Overview
[Figure: message sequence diagram. Participants: TVC, Downloader, Publisher, Content Key IN. Messages: CONT DNLD; USR FEEDBACK REQ; CLIENT PUZZLE; PUZZLE SOL, VOTE; SCORE READY ANNOUNCEMENT, CLIENT PUZZLE; PUZZLE SOLUTION; SCORE CERTIFICATE]
Voting Process
[Flowchart: voting process at the TVC. Boxes and decisions:
Voting Request Received;
Check the requested vote type (Positive / Negative);
Previously voted for the same index node? (Yes / No);
Set puzzle hardness as default;
Retrieve User's History and set the puzzle hardness;
Create and send the puzzle to the voter;
Puzzle solution received;
Puzzle Solution Timed-out? (Yes / No);
Verify the solution (Correct / Incorrect);
Compare the sent vote type with the requested vote type (Match / Mismatch);
Process the Vote; Update the User Profile;
Record a “bad behavior” incident;
Ignore the Vote]
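One reading of the Voting Process flowchart, as an added Go example that is not code from the presentation: the TVC sets the puzzle hardness from the voter's history, the voter pays the computation, and a vote that differs from the requested type is recorded as bad behavior. The SHA-256 leading-zero-bit puzzle, the hardness constants, the 30-second time-out and the Profile type are assumptions; the slides do not specify the puzzle construction.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Assumed policy values and profile layout (the slides specify neither).
const defaultBits, historyBits, timeoutSec = 8, 2, 30
type Profile struct {
	Voted     map[string]bool // index nodes this voter has already voted on
	Incidents int             // recorded "bad behavior" incidents
}
// Hardness is the default for a first vote on an IN; otherwise history sets it.
func Hardness(p *Profile, in string) int {
	if !p.Voted[in] {
		return defaultBits
	}
	return defaultBits + historyBits*(1+p.Incidents)
}
// zeroBits counts leading zero bits in the first 32 bits of SHA-256(challenge|nonce).
func zeroBits(challenge string, nonce uint32) int {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", challenge, nonce)))
	return bits.LeadingZeros32(binary.BigEndian.Uint32(sum[:4]))
}
// Solve is the voter's brute-force search for a nonce that meets the hardness.
func Solve(challenge string, hardness int) (nonce uint32) {
	for zeroBits(challenge, nonce) < hardness {
		nonce++
	}
	return nonce
}
// Submit is the TVC side: time-out, solution check, then vote-type comparison.
func Submit(p *Profile, in, challenge string, nonce uint32, elapsed int, requested, sent string) string {
	switch {
	case elapsed > timeoutSec || zeroBits(challenge, nonce) < Hardness(p, in):
		return "ignored" // late or incorrect solution
	case requested != sent:
		p.Incidents++ // vote differs from the type the puzzle was issued for
		return "bad-behavior"
	}
	p.Voted[in] = true // process the vote and update the user profile
	return "processed"
}
func main() {
	p := &Profile{Voted: map[string]bool{}}
	fmt.Println(Submit(p, "in-7", "c1", Solve("c1", Hardness(p, "in-7")), 3, "negative", "negative"))
}
```

Each extra hardness bit doubles the voter's expected hashing work, while the TVC's check stays at one hash per submission.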
Score Reporting
1: Retrieve the Index Node Score.
2: Set the certificate validity and the puzzle hardness based on the Index Node score.
3: Issue a digitally signed score certificate.
4: Inform the Index Node about the certificate and send the puzzle to it.
5: Puzzle solution received.
6: Verify the solution (Correct / Incorrect).
7a: Correct: Send the certificate.
7b: Incorrect: Don’t send the certificate.
8: Wait for the new cycle.
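Steps 1 to 3 of Score Reporting, together with the check a downloader would run before trusting a certificate an IN presents, as an added Go example that is not code from the presentation. Ed25519 stands in for the unspecified PKC scheme; the certificate fields, the zero-validity threshold of 20 and the 60 seconds of validity per score point are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Assumed policy and certificate layout (the slides give neither): a score at or below zeroValidityScore gets zero validity.
const zeroValidityScore, secondsPerPoint = 20, 60
type ScoreCert struct {
	IN                  string
	Score               int
	NotBefore, NotAfter int64 // Unix seconds from the global time service
	Sig                 []byte
}

// body is the byte string the TVC signs; it covers every field except Sig.
func (c ScoreCert) body() []byte {
	return []byte(fmt.Sprintf("%q|%d|%d|%d", c.IN, c.Score, c.NotBefore, c.NotAfter))
}

// Issue covers steps 1-3: take the IN score, derive the validity, sign.
func Issue(priv ed25519.PrivateKey, in string, score int, now int64) ScoreCert {
	validity := int64(0)
	if score > zeroValidityScore {
		validity = int64(score) * secondsPerPoint
	}
	c := ScoreCert{IN: in, Score: score, NotBefore: now, NotAfter: now + validity}
	c.Sig = ed25519.Sign(priv, c.body())
	return c
}

// Verify is the downloader's check before trusting a score an IN presents.
func Verify(pub ed25519.PublicKey, c ScoreCert, now int64) bool {
	return ed25519.Verify(pub, c.body(), c.Sig) && now >= c.NotBefore && now < c.NotAfter
}

// DemoKey derives a fixed, constructed TVC key pair so runs are repeatable.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKey()
	cert := Issue(priv, "in-7", 35, 1000)
	forged := cert
	forged.Score = 95 // an adverse IN rewrites its own score
	fmt.Println(Verify(pub, cert, 1500), Verify(pub, forged, 1500), Verify(pub, cert, 4000))
}
```

The puzzle gate of steps 4 to 7 is left out here; because the validity window is inside the signed body, an IN cannot extend an expiring certificate any more than it can edit the score.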
Score Reporting
[Figure: Adverse IN, Users and TVC, with time marks T0, T1, T2, T3]
Security Analysis of TVC
Resilience to IN Insertion Attack
Resilience to Reverse Voting Attack
DoS Mitigation
Security Analysis of TVC
1. Resilience to IN Insertion Attack:
• Adverse INs eventually converge to a low score due
to guaranteed integrity of votes.
• Eventually filters out bogus index records due to
zero-validity score threshold.
• TVC signature of score certificates prevents forgery
of certificates.
Security Analysis of TVC
2. Resilience to Reverse Voting Attack:
• TVC ensures votes are from a live IP and are unique per
index record.
• Very limited impact if colluders try to boost an adverse
IN score or reduce benign IN score.
• Negative votes result in high computational cost.
Security Analysis of TVC
3. DoS Mitigation:
• TVC preserves the server resources by only processing
unique votes from legitimate voters.
• The vote message is of a small size (~1 KB) which
adversely reduces the impact of DoS on the server.
• Increased computational cost towards voters for
successive bad behaviors.
Model Description
• Resilience to IN Insertion Attack: Reduction in DL Failures Due to Adverse IN – Analytical Model
• Resilience to Reverse Voting Attack: Benign IN Reputation Protection – Analytical Model
• DoS Mitigation: OPNET Simulation
Model Description
1. Reduction in Download Failures Due to Adverse IN
• Global time interval i.
• IN starts with perfect score of 100.
• Peer arrivals to system Poisson distributed with mean λ per
interval.
• All arrivals in valid interval seek to download from adverse IN.
• All downloads attempted via adverse IN fail.
• AIAD scoring scheme employed.
Model Description
[Figure: Pwilling neg. vs. Score. x-axis: Score (0 to 100); y-axis: Pwilling neg. (0 to 1)]
Model Description
Results
[Figure: DL Failures Due to Adverse Index Node. x-axis: time (0 to 100); y-axis: download failures (0 to 40). Series: Winnowing Scenario; TVC Scenario,  = 25; TVC Scenario,  = 30; TVC Scenario,  = 40]
• Consistent DL failures due to adverse IN in WINNOWING.
• DL failures in TVC decrease and eventually cease once zero-validity score
threshold reached.
Results
[Figure: Benign Index Node Score. x-axis: time (0 to 20); y-axis: score (0 to 100). Series: TVC Scenario and Winnowing Scenario, each for k = 45, k = 60 and k = 75]
• Liar farm remains effective in WINNOWING scheme.
• TVC allows for quick recovery of IN score after liar farm exhausts votes.
Results
• Computational cost vs.
bandwidth cost results in a
fruitful impact on server
resources.
• Service queue size
exponentially smaller in TVC.
Conclusion
1. TVC guarantees integrity of users’ votes and IN score reports.
• Mitigates long-term effects of IN Insertion Attack.
2. TVC guarantees isolation and effective lock-out against adverse
voters
• Adversely decreases effects of Reverse Voting Attack.
3. TVC client puzzle approach guarantees all votes received from
live IPs.
• Dramatically reduces effectiveness of DoS Attack.
• Requires exponentially more colluding users to be as
effective as the DoS against WINNOWING scheme.
Future Work
1. Performing more advanced analysis to make adaptive and
more efficient decisions in dealing with voter feedback.
2. Enabling the joint detection of colluding voters based on
group behavioral patterns:
• Isolate potentially large liar farm before benign IN’s
reputation is corrupted.
3. Dealing with scalability issues with a large number of
peers in single server system:
• How to map index nodes to multiple TVCs in larger
systems?
Thank You
Questions & Comments